Monthly Archives: July 2017

Charles Leaver – Worried About Endpoint Products Integrating With Your Security Architecture? Not With Ziften


Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


Security professionals are by nature a cautious bunch. Most people probably bring that caution with them when they enter this field, given its mission, but it is also a trait that is acquired over time. Ironically, this holds true even when it comes to adding extra security controls to an already established security architecture. One might assume that more security is better security, but experience teaches us that is not necessarily the case. There are in fact many concerns associated with deploying a new security product, and one that usually appears near the top of the list is how well the new product integrates with the incumbent products.

Integration concerns come in several flavors. First and foremost, a new security control must not break anything. Beyond that, a new security solution should readily share threat intelligence, and act on threat intelligence gathered across the organization's entire security infrastructure. In other words, the new tools must work together with the existing ecosystem of tools such that "1 + 1 = 3". The last thing most IT and security operations teams need is yet another siloed product.

This is why Ziften has always focused on building and delivering a completely open visibility architecture. We believe that any new systems and security operations tool must be designed with improved visibility and data sharing as core design requirements. But this is not a one-way street. Building standard integrations requires technology partnerships with other vendors, and we consider it our responsibility to work with other technology companies to integrate our solutions with theirs, making it easy on customers. Unfortunately, many vendors still believe that integrating security solutions, particularly new endpoint security solutions, is extremely difficult. I hear the concern constantly in customer conversations. However, data is now emerging showing this is not necessarily the case.

In recent survey work on "advanced endpoint" solutions, NSS Labs reports that Global 2000 customers based in North America have been pleasantly surprised by how well these products integrate into their established security architectures. According to the NSS study titled "Advanced Endpoint Protection – Market Analysis and Survey Results CY2016", which NSS subsequently presented in a BrightTalk webinar, respondents that had already deployed advanced endpoint products were far more positive about their ability to integrate into existing security architectures than were respondents still in the planning stages of purchasing these products.

Specifically, respondents that have already deployed advanced endpoint products rated integration with their established security architectures as follows:

● Excellent 5.3%
● Good 50.0%
● Average 31.6%
● Poor 13.2%
● Terrible 0.0%

Compare that to the more conservative responses from respondents still in the planning phase:

● Excellent 0.0%
● Good 39.3%
● Average 42.9%
● Poor 14.3%
● Terrible 3.6%

These responses are encouraging. Yes, as noted, security people tend to be pessimists, but despite low expectations, respondents report favorable results when it comes to integration. In fact, Ziften customers usually show the same initial low expectations when we first discuss integrating Ziften products into their established ecosystem of solutions. In the end, though, customers are pleasantly surprised by how easy it is to share data between Ziften products and their existing infrastructure.

These survey results will hopefully help ease concerns, since newer adopters tend to seek out and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these solutions, and that should help reduce the natural caution of the broader mainstream.

Certainly, there is significant differentiation between products in this space, and organizations should continue to perform proper due diligence in understanding how and where solutions integrate into their broader security architectures. But the good news is that there are solutions not only meeting customers' needs but actually outperforming their initial expectations.

Charles Leaver – Flaw In Petya Variant Wreaks Havoc But Customers Of Ziften Protected


Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another headache for those who were not prepared. While this latest attack resembles the earlier WannaCry threat, there are differences in this malware, which is a variant or new strain closely resembling Petya. Called NotPetya by some, this strain spells trouble for anyone who encounters it. It may encrypt your data, or it may render the system completely unusable. And the email address that victims were instructed to contact to 'perhaps' decrypt their files has since been taken down, so victims are out of luck retrieving their files that way.

Plenty of details on the behavior of this threat are publicly available, but I wanted to point out that Ziften customers are protected both from the EternalBlue exploit, which is one mechanism it uses to propagate, and, better still, by a countermeasure based on a likely flaw, or the malware's own kind of debug check, that stops the threat from ever executing on the system. It could still spread through the environment, but our protection is already pushed to all existing systems to stop the damage.

The Ziften extension platform lets our customers put protection in place against specific vulnerabilities and malicious behaviors, for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various 'checks' against the system before running.

We can also use our Search capability to hunt for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used for lateral movement. We can search for those programs, their command lines, and their usage. Even though they are legitimate tools, their use is uncommon on most endpoints and can be alerted on.
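The hunt described above, written out as an added example (this is not Ziften's Search feature or any of its output): a small Python pass over process-creation records that flags wmic.exe doing remote process creation (`/node:` plus `process call create`), PsExec.exe reaching a `\\target` (with `-s` or `-c` raising severity), and then looks for the fan-out a worm produces, one source host pushing execution to several targets. The `host|user|image|command_line` record format, the hostnames, users, and command lines are all constructed for this example; none of them are claimed to be the actual NotPetya command lines.

```python
"""Hunt for WMIC / PsExec remote execution in process-creation records.

Added example, not Ziften code. The record schema, hosts, users and command
lines below are constructed for illustration only.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed records in a hypothetical "host|user|image|command_line" format.
SAMPLE_EVENTS = [
    # Remote process creation over WMI, the pattern reported for this threat
    'ws-017|CORP\\alice|C:\\Windows\\System32\\wbem\\wmic.exe|wmic /node:"10.0.4.22" /user:"CORP\\svc_backup" /password:"Winter2017!" process call create "rundll32.exe C:\\Windows\\stage.dll,#1"',
    'ws-017|CORP\\alice|C:\\Windows\\System32\\wbem\\wmic.exe|wmic /node:"10.0.4.23" /user:"CORP\\svc_backup" /password:"Winter2017!" process call create "rundll32.exe C:\\Windows\\stage.dll,#1"',
    # PsExec copying a binary to a remote host and running it as SYSTEM
    'ws-017|CORP\\alice|C:\\Tools\\PsExec.exe|PsExec.exe \\\\fs-02 -accepteula -s -c C:\\Windows\\stage.exe',
    # Local inventory query: routine, should not alert
    'srv-db-01|CORP\\dba|C:\\Windows\\System32\\wbem\\wmic.exe|wmic os get caption,version',
    # Local process creation via WMI: odd, but not lateral movement
    'ws-044|CORP\\bob|C:\\Windows\\System32\\wbem\\wmic.exe|wmic process call create "notepad.exe"',
    # One PsExec run from a jump box to a single host: worth a look, lower severity
    'jump-01|CORP\\itops|C:\\Tools\\PsExec.exe|PsExec.exe \\\\print-03 cmd /c ipconfig',
]

NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
WMI_CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
PSEXEC_TARGET_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'host|user|image|command_line' record (constructed schema)."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def classify(event: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Return an alert dict for suspicious WMIC/PsExec use, else None."""
    exe = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    base = {"host": event["host"], "user": event["user"], "tool": exe}
    if exe == "wmic.exe":
        if not WMI_CREATE_RE.search(cmd):
            return None  # "wmic os get ..." style queries are routine
        node = NODE_RE.search(cmd)
        if node:
            return {**base, "severity": "high", "target": node.group(1),
                    "reason": "remote process creation via WMI (/node:)"}
        return {**base, "severity": "medium", "target": None,
                "reason": "local process creation via WMI"}
    if exe == "psexec.exe":
        target = PSEXEC_TARGET_RE.search(cmd)
        flags = {tok.lower() for tok in cmd.split() if tok.startswith("-")}
        # -s runs the payload as SYSTEM and -c copies a binary to the target
        # first: what a worm needs and what an admin rarely needs together.
        severity = "high" if flags & {"-s", "-c"} else "medium"
        return {**base, "severity": severity,
                "target": target.group(1) if target else None,
                "reason": "remote execution via PsExec"}
    return None


def hunt(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run classify() over every record and keep the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines) if a]


def fan_out(alerts: List[Dict[str, Optional[str]]]) -> Dict[str, Set[str]]:
    """Source host -> distinct remote targets it pushed execution to."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        if a["target"]:
            out[a["host"]].add(a["target"])
    return dict(out)


def burst_hosts(alerts: List[Dict[str, Optional[str]]], min_targets: int = 2) -> List[str]:
    """Hosts reaching at least min_targets machines: the fan-out a worm produces."""
    return sorted(h for h, t in fan_out(alerts).items() if len(t) >= min_targets)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(a["severity"].upper(), a["host"], "->", a["target"], a["reason"])
    print("possible worm sources:", burst_hosts(found))
```

The per-record rules are deliberately loose (any remote PsExec run is at least medium) because the point of the search is to surface the small number of hosts that use these tools at all; the fan-out check is what separates an administrator running one job from a host that is spreading.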

With WannaCry, and now NotPetya, we expect to see a continued rise in these types of attacks. The release of the NSA exploits has given ambitious attackers the tools they need to push out their payloads. And although ransomware can be a lucrative vehicle, more destructive threats could be launched the same way. The hardest part for attackers has always been 'how' to get their threats to spread (worm-like, or through social engineering).

Charles Leaver – UK Parliament Play The Blame Game Instead Of Fixing Insecurities


Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In cyberspace the sheep get shorn, chumps get chewed, dupes get duped, and pawns get pwned. We've seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admit to an email system that was not secure by design, the official statement read:

Parliament has strong measures in place to safeguard all of our accounts and systems.

Tell us another one. The one protective measure we did see at work was blame deflection: pin it on the Russians, that always works, while blaming the victims for their policy violations. While details of the attack are scarce, combing various sources does help assemble at least the gross outlines. If these accounts are reasonably close, the UK Parliament email system failings are scandalous.

What went wrong in this case?

Rely on single-factor authentication

"Password security" is an oxymoron: anything protected by a password alone is insecure, full stop, regardless of the strength of the password. Please, no 2FA here; it might hinder attacks.

Do not enforce any limit on failed login attempts

Enabled by single-factor authentication, this allows easy brute force attacks, no skill required. Then, when attacked, blame elite state-sponsored hackers; nobody can verify it.

Do not perform brute force attack detection

Allow attackers to conduct (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system) to maximize the scope of account compromise.

Do not enforce policy, treat it as mere advice

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation. Serve attackers extremely low-hanging fruit.
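The two missing controls above, a limit on failed logins and brute force detection, are cheap to build. Here is an added example in Python (not Parliament's system, not any vendor's product) that does both over constructed authentication events: a sliding-window failure counter per account that locks the account, and a separate counter per source address that raises an alert. The example goes slightly beyond the post: it also shows why the lockout alone is not enough, since a password spray (a couple of guesses against each of many accounts) never trips the per-account limit but does trip the per-source one. Thresholds, the event tuple layout, and all addresses and account names are assumptions made for this example.

```python
"""Per-account lockout plus per-source brute-force detection.

Added example, not Parliament's system or any vendor's code. Event tuples are
(timestamp_seconds, source_ip, account, password_ok) and are constructed below.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

Event = Tuple[int, str, str, bool]


class LoginGuard:
    """Enforce a failed-login limit and detect brute force per source."""

    def __init__(self, max_failures: int = 5, fail_window: int = 300,
                 lockout_secs: int = 900, source_threshold: int = 10,
                 source_window: int = 600) -> None:
        self.max_failures, self.fail_window = max_failures, fail_window
        self.lockout_secs = lockout_secs
        self.source_threshold, self.source_window = source_threshold, source_window
        self._fails: Dict[str, Deque[int]] = defaultdict(deque)      # account -> fail times
        self._locked_until: Dict[str, int] = {}
        self._src_fails: Dict[str, Deque[int]] = defaultdict(deque)  # ip -> fail times
        self._src_accounts: Dict[str, Set[str]] = defaultdict(set)   # ip -> accounts tried
        self._alerted: Set[str] = set()
        self.alerts: List[str] = []

    @staticmethod
    def _prune(times: Deque[int], now: int, window: int) -> None:
        while times and now - times[0] > window:
            times.popleft()

    def attempt(self, now: int, ip: str, account: str, password_ok: bool) -> str:
        """Return 'success', 'failure' or 'locked' for one login attempt."""
        # A locked account rejects even a correct password, and the attempt still
        # counts against the source so detection keeps seeing the attacker.
        if self._locked_until.get(account, 0) > now:
            self._note_source(now, ip, account)
            return "locked"
        if password_ok:
            self._fails[account].clear()
            return "success"
        fails = self._fails[account]
        self._prune(fails, now, self.fail_window)
        fails.append(now)
        self._note_source(now, ip, account)
        if len(fails) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_secs
            fails.clear()
            self.alerts.append(f"t={now}: account {account} locked for "
                               f"{self.lockout_secs}s after {self.max_failures} failures")
            return "locked"
        return "failure"

    def _note_source(self, now: int, ip: str, account: str) -> None:
        """Count failures per source IP. A spray across many accounts never
        trips the per-account limit, but it does trip this one."""
        times = self._src_fails[ip]
        self._prune(times, now, self.source_window)
        times.append(now)
        self._src_accounts[ip].add(account)
        if len(times) >= self.source_threshold and ip not in self._alerted:
            self._alerted.add(ip)
            self.alerts.append(f"t={now}: brute force from {ip}: {len(times)} failures "
                               f"across {len(self._src_accounts[ip])} accounts "
                               f"in {self.source_window}s")


def build_sample() -> List[Event]:
    """Constructed events: a password spray, a legitimate login, then a targeted
    brute force whose correct guess arrives only after the account is locked."""
    events: List[Event] = []
    for i in range(12):                       # 12 accounts, 2 guesses each
        for j in range(2):
            events.append((10 * i + j, "203.0.113.9", f"member{i:02d}", False))
    events.append((130, "198.51.100.7", "member03", True))
    for k in range(7):                        # 7 guesses at one account
        events.append((1000 + k, "203.0.113.44", "mp.smith", False))
    events.append((1007, "203.0.113.44", "mp.smith", True))  # right password, locked out
    events.append((2000, "198.51.100.7", "mp.smith", True))  # lockout expired, real user
    return events


def replay(events: List[Event], guard: Optional[LoginGuard] = None) -> Tuple[List[str], List[str]]:
    """Feed events in time order; return per-attempt decisions and the alerts raised."""
    guard = guard or LoginGuard()
    decisions = [guard.attempt(*e) for e in sorted(events)]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = replay(build_sample())
    print(decisions.count("failure"), "failures,", decisions.count("locked"), "locked")
    print("\n".join(alerts))
```

Two design points worth noting. The lockout check runs before the password is even tested, so the attacker's eventual correct guess is refused as long as the lock holds. And a locked-out attempt still feeds the per-source counter, so an attacker who keeps hammering a locked account stays visible to detection rather than disappearing into rejected requests.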

Rely on anonymous, unencrypted email for sensitive communications

If attackers do succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to score high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.

Lessons learned

In addition to adding "Common Sense for Dummies" to their summer reading lists, the UK Parliament email system administrators may wish to take further action. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and thoroughly reassessing secure messaging are recommended actions. Penetration testing would have found these basic weaknesses while staying out of the news headlines.

Even a couple of clever high schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some party somewhere on the global internet. All the more reason to find and fix those weaknesses before the attackers do, so turn those pen testers loose. And then, if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.

Charles Leaver – IT And Security Working Closer Together With SysSecOps


Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with many organizations, he understood that one of the biggest obstacles is that security and operations are two different departments, with significantly different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, just completed a study, "Endpoint Security and SysSecOps: The Growing Pattern to Develop a More Secure Business", where one of the key findings was that conflicting IT and security objectives prevent professionals on both teams from achieving their goals.

That is exactly what we believe at Ziften, and the term Scott coined to describe the convergence of IT and security in this domain, SysSecOps, describes perfectly what we have been talking about. Security teams and IT teams must get on the same page. That means sharing the same objectives and, in some cases, sharing the same tools.

Think about the tools IT people use. They are designed to ensure the infrastructure and end devices are working properly and, when something fails, to help repair it. On the endpoint side, those tools ensure that devices allowed onto the network are configured correctly, run software that is authorized and properly updated and patched, and have not logged any faults.

Think about the tools security people use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may include actively monitoring incidents, scanning for abnormal behavior, inspecting files to ensure they do not contain malware, ingesting the latest threat intelligence, matching against newly discovered zero-days, and analyzing log files.

Finding fires, fighting fires

Those are two different worlds. The security teams are the fire spotters: they can see that something bad is happening, work quickly to isolate the problem, and determine whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they leap into action when an incident strikes to ensure that the systems are secured and brought back into operation.

Sounds great, doesn't it? Unfortunately, all too often, they don't talk to each other. It is like having fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can't share the same data directly.

Our approach to SysSecOps is to provide both the IT and security teams with the same resources, which means the same reports, delivered in the appropriate ways to each set of professionals. It's not a dumbing down; it's working smarter.

It's ludicrous to operate any other way. Take the WannaCry infection, for instance. Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn't install the patch, because they didn't think it was a big deal and didn't talk to security. Security teams didn't know whether the patch was installed, because they don't talk to operations. SysSecOps would have had everyone on the same page and could potentially have prevented this problem.

Missing data means waste and danger

The dysfunctional gap between IT operations and security exposes companies to risk. Avoidable risk. Unnecessary risk. It's simply unacceptable!

If your organization's IT and security teams aren't on the same page, you are incurring risk and cost that you shouldn't have to. It's waste. Organizational waste. It's wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, "Coordinated SysSecOps visibility has already shown its worth in assisting organizations examine, analyze, and avoid substantial dangers to the IT systems and endpoints. If these objectives are pursued, the security and management risks to an IT system can be considerably lessened."

If your teams are working together in a SysSecOps kind of way, if they can see the same data at the same time, you not only have better security and more efficient operations but also lower risk and lower cost. Our Zenith software can help you achieve that, not just working with your existing IT and security tools but also filling in the gaps to make sure everyone has the right data at the right time.